
Facebook Bolsters Message Security, Adds OpenPGP

Facebook announced early Monday that it has adopted OpenPGP encryption and will let users post their public keys on their profile.

Facebook announced early Monday that the social network is in the process of adopting OpenPGP encryption and that it will give privacy conscious users the ability to post their public keys on their profile.

The feature, which is gradually rolling out to users today, should better lock down messages sent through the service to users’ personal email addresses. As the company’s announcement points out, while Facebook secures its connections to email providers via TLS, the messages it sends to users – as plaintext, with attachments – could still technically be accessed by anyone who has access to those email accounts.

Now, if a user elects to, they can add “end-to-end” encryption to the notification emails that the social network sends to their email address.

“Where encrypted notifications are enabled, Facebook will sign outbound messages using our own key to provide greater assurance that the contents of inbound emails are genuine,” Facebook said in its announcement Monday, adding that users can share their OpenPGP keys from their profile.

The announcement claims that Facebook will use the GNU Privacy Guard standard and support encryption with the RSA or ElGamal algorithms.

“Facebook’s OpenPGP key comprises a long term primary key with short term subkeys; this allows us to frequently rotate our operational keys whilst maintaining the web of trust and a consistent identity over time,” Steve Weis and Zac Morris, two of the company’s security software engineers, and Jon Millican, a software engineer for security infrastructure, wrote Monday.
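The primary-key-plus-subkeys layout the engineers describe, and the RSA and ElGamal algorithm choices mentioned earlier, can be seen directly in the OpenPGP packet format (RFC 4880). The following Python script is an added illustration, not code from Facebook or from the article: it builds a tiny certificate from constructed dummy key material (small integers standing in for real RSA and ElGamal parameters, a made-up user id, and no binding signatures, which a real certificate would carry), walks its packets, computes version-4 fingerprints, and shows that swapping the encryption subkey leaves the primary key's fingerprint, i.e. the long-term identity that the web of trust is anchored to, unchanged.

```python
"""Walk an OpenPGP certificate's packets (RFC 4880) and show that rotating a
subkey leaves the primary key's fingerprint, the long-term identity, unchanged.
Added illustration; all key material below is constructed dummy data."""
import hashlib
import struct

# Public-key algorithm ids from RFC 4880 / RFC 6637 (subset) and packet tags used here.
PK_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
TAG_NAMES = {2: "Signature", 6: "Public-Key", 13: "User ID", 14: "Public-Subkey"}


def mpi(n):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_key_body(algo, created, *mpis):
    """Body of a version-4 public key or subkey packet (RFC 4880 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def packet(tag, body):
    """Wrap a body in a new-format packet header (RFC 4880 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def parse_packets(data):
    """Split a byte string into (tag, body) pairs; new- and old-format headers both accepted."""
    packets, i = [], 0
    while i < len(data):
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("byte %d is not a packet header" % i)
        i += 1
        if ptag & 0x40:                      # new-format header
            tag, first = ptag & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            width = {0: 1, 1: 2, 2: 4}.get(ltype)
            if width is None:
                raise ValueError("indeterminate length is not handled here")
            length = int.from_bytes(data[i:i + width], "big")
            i += width
        packets.append((tag, data[i:i + length]))
        i += length
    return packets


def v4_fingerprint(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the key packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()


def describe(cert):
    """Summarise each packet as (packet name, algorithm or user id, fingerprint or None)."""
    rows = []
    for tag, body in parse_packets(cert):
        if tag in (6, 14):                   # body[5] is the algorithm id after version + timestamp
            rows.append((TAG_NAMES[tag], PK_ALGOS.get(body[5], "algo %d" % body[5]), v4_fingerprint(body)))
        elif tag == 13:
            rows.append((TAG_NAMES[tag], body.decode("utf-8"), None))
        else:
            rows.append((TAG_NAMES.get(tag, "tag %d" % tag), None, None))
    return rows


# Constructed dummy material: tiny integers standing in for real RSA (n, e) and ElGamal (p, g, y).
PRIMARY = v4_key_body(1, 1433116800, 0xC0FFEE1234567, 65537)          # long-term RSA primary
SUBKEY_OLD = v4_key_body(16, 1433116800, 0xA1B2C3D4, 5, 0x99887766)  # ElGamal encryption subkey
SUBKEY_NEW = v4_key_body(16, 1435708800, 0xA1B2C3D4, 5, 0x55443322)  # its rotated replacement
USER_ID = b"Example Notifications <notifications@example.com>"        # made-up user id


def build_cert(subkey_body):
    """Primary key, user id, one subkey. Binding signatures (tag 2) are omitted in this toy."""
    return packet(6, PRIMARY) + packet(13, USER_ID) + packet(14, subkey_body)


def rotation_keeps_identity():
    """Return (primary fp before, primary fp after, old subkey fp, new subkey fp) across a rotation."""
    before, after = describe(build_cert(SUBKEY_OLD)), describe(build_cert(SUBKEY_NEW))
    return before[0][2], after[0][2], before[2][2], after[2][2]


if __name__ == "__main__":
    for row in describe(build_cert(SUBKEY_NEW)):
        print(row)
    p0, p1, s0, s1 = rotation_keeps_identity()
    print("primary fingerprint unchanged:", p0 == p1, "| subkey fingerprint changed:", s0 != s1)
```

The practical point for anyone verifying Facebook's key: pin the primary fingerprint, not a subkey's, because the subkeys are the part that is expected to change. In a real certificate each rotated subkey is also bound to the primary by a signature packet, which the parser above would list as a "Signature" row.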

The engineers say the company will continue to look into some of GPG’s newer elliptic curve algorithms, and into support for mobile devices, which the feature does not yet cover.

The feature, while only several hours old, was championed by privacy advocates on Monday, including The Committee to Protect Journalists, a New York City-based organization that defends the rights of journalists. Representatives with the nonprofit lauded the move, calling it a substantial improvement for the social network in both safety and usability.

“Security tools like PGP encryption are most effective when they are used widely,” said CPJ Internet Advocacy Coordinator Geoffrey King. “Facebook has taken an important step to help protect users’ private communications by default, and make the risky environment in which journalists work a little bit safer.”

Elsewhere, Runa A. Sandvik, a privacy and security researcher who helped beta test the new feature, rationalized that while one of Facebook’s chief interests may be siphoning up data, it doesn’t absolve the company from protecting that information.

“We often get too hung up on Facebook’s business model and seem to forget that, if anything, the company does care about ensuring safe and easy user access,” Sandvik said Monday.

Facebook has gotten a bad rap over the last few years, especially in today’s post-Edward Snowden, post-PRISM world, but the company has made some strides as of late when it comes to security.

Last year the company made the social network available to users as a Tor hidden service, making it both easier and more secure to access via the anonymization service, and earlier this year it launched ThreatExchange, a massive information sharing platform. Powered almost entirely by Facebook’s own infrastructure, the platform helps parse threat data for Pinterest, Yahoo, Tumblr, Twitter, and others.

Sandvik, a privacy advocate who also helped advise Facebook on its Tor hidden service, called the company’s PGP feature another important step in the process of making the service safer to use.

“We can’t tell people not to use Facebook, but we can tell them how to use it safely,” Sandvik said.

Discussion

Ok, it may be early in the morning, but there is one thing that seems a little off to me...
If I have understood this correctly, the PGP encryption is going to happen on Facebook's servers? Because in that case it doesn't really protect your info except when it is being passed around on the server itself...

@Johan - no, the data within the email (contents) is encrypted so that when it arrives at the recipient's email server, it is not stored in clear text. The user has the private key on their endpoint to decrypt the contents or attachment once they download it from the email server.
That's how I read it anyway.
Cheers.
